Vladimir Previn

more flexibility for SA Malware server static side rules is needed.

Discussion created by Vladimir Previn on Oct 18, 2017
Latest reply on Oct 19, 2017 by Vladimir Previn

I don't know if anyone else actually uses RSA malware but would like to share our pet peeve issue with it.


Basically the static analysis engine is tied to major releases and minor releases and is not openly customer customizable e.g. via yara.


E.g. most recently - doesn’t work correctly for PoC and mal docs for [as in malicious files used in crimeware and targeted attacks no longer get passed to the sandbox and analysed]

https://isc.sans.edu/forums/diary/Hancitor+malspam+uses+DDE+attack/22936/ ← used in the wild in crimeware [our partner orgs also report targeted attacks]

more info 1 more info 2 more info 3


we’ve previously raised similar issues with the malware server 


^ essentially there needs to be a live deployable AND customer yara sig way of adding signatures and adjusting static scores WITHOUT new RPMs

e.g. yara sig here https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/



To put it more simply:  customers need to be able to respond to network file threats in an adequate manner - including rapidly deploying detection rules for Office 2003/2010 static rules. [as in extracted XML content from 2010 too]



if anyone is actually using Malware server - go ping your account manager